National security threat: hacking the smart grid

SAN JOSE, Calif.--The nation’s smart grid is constantly under threat of real attack and potentially no amount of investment in securing it will help, according to a white hat security expert.

Speaking at a DesignWEST panel on hacking the smart grid, senior research engineer Joe Loomis blasted through the buzz on smart grid and smarter energy technology, exposing the risks of hacking and full-scale cyber warfare and the crippling effects it could have on national infrastructure.

“It’s critical infrastructure and society depends on it, making it a prime target for attack,” said Loomis.

Indeed, as smart grid technology develops year by year, so too do the opportunities for hackers with malicious intentions toward national infrastructure.

Loomis pointed to the recent Stuxnet computer worm discovered in June 2010, which took out a large portion of Iran’s nuclear centrifuge control and disrupted the delivery of nuclear fuel with its payload. That worm, whose origins are still not officially known, exploited multiple zero-day vulnerabilities, said Loomis, spreading quickly across the world and even ending up in a few systems in the United States, despite Iran being the clear target.

“What made Stuxnet more scary than anything else is the order of magnitude of sophistication over everything that came before it,” said Loomis, adding that the success of the worm was proof of concept that cyber warfare was real and dangerous.

“The collateral infections are the scariest part,” said Loomis, claiming that analysis of Stuxnet pointed to it having been developed by over 40 engineers, though no country or group takes responsibility for it.

A similar worm, DuQu, was discovered more recently, in September 2011, and is thought to have been developed by the same team that created Stuxnet. Its purpose is apparently different: DuQu was designed to capture system information and keystrokes, which could enable a future Stuxnet-like attack.

“People are actively pursuing cyber warfare as an attack method,” said Loomis, pointing out that the smart grid was a prime target for such an attack.

“Before, if someone wanted to shut off power to my home, the electricity company would have to send someone around, physically, to cut me off. Now, it’s all being networked and can be shut off remotely, which creates a dangerous risk,” he said.

With $3.4 billion in stimulus funds having been funneled into smart-grid technologies by the U.S. government, more and more American households and businesses are getting connected up to smart meters, with over 60 million predicted to be deployed this year alone.

That’s a scary prospect, according to Loomis, who claims there are already “multiple credible threats” out there.

“They could turn off our power if they wanted to,” he said.

The most difficult thing, said Loomis, was for individuals and firms to evaluate the risks and invest in protection accordingly. “These are systems that were never designed to be secured,” he said, noting that any investment may also ultimately prove worthless.

“No system is 100 percent secure,” he said. “Given enough time and access, you can reverse engineer the whole thing.”

Loomis added that even if the country or individual businesses spent a great deal of money to secure the power infrastructure, it would still be open to compromise, and that it was thus up to every individual to determine how much money they wanted to spend on trying to plug up the security holes.

“I tell clients they should judge it on a case by case situation,” he said, recommending that people lobby for better standards and repeatedly test their systems for cracks.

“There are plenty of open source tools available that are ideal for protocol testing,” he said.

Nowadays, security systems do not involve a lot of heavy equipment. The threat currently is ‘unseen’ – cybercrime, and this is currently more serious. As we are in the digital age, cyber-attacks could cost millions and the confidence of the public. There is a ripple effect and sometimes, a mere millisecond could cost millions to the organization and to the public. Hacking is a very serious issue, and the damage can be limitless. I would not be surprised that these cyber-attackers would always be one step ahead of the authorities. We need to build systems resistant to cyber warfare in order to pre-empt any moves from these attackers.

Smart Grid meters should have very secure (perhaps even hardware-based) features to differentiate devices eligible for load shedding (pool pumps) and those which are mission critical (hospital operating room circuits). Perhaps an external read-only protective feature is appropriate to implement on some critical smart grid meters.

What is the experience of the banking industry with the security and vulnerability of SWIFT? Was it ever hacked? Did anybody discover any vulnerabilities in it?
Maybe the Smart Grid developers can learn from the SWIFT network how to make it secure?